AWS Direct Connect

AWS Direct Connect is a network service that provides an alternative to using the Internet to connect users’ on-premises sites to AWS. Using AWS Direct Connect, users can establish private connectivity between AWS and their datacenter, office, or colocation environment, which can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections. AWS Direct Connect lets users establish 1 Gbps or 10 Gbps dedicated network connections (or multiple connections) between AWS networks and one of the AWS Direct Connect locations. It uses industry-standard VLANs to access Amazon Elastic Compute Cloud (Amazon EC2) instances running within an Amazon VPC using private IP addresses.

  • Users can choose from an ecosystem of WAN service providers for integrating the AWS Direct Connect endpoint in an AWS Direct Connect location with the remote networks.
  • Users can also work with their provider to create a sub-1G connection, or use a link aggregation group (LAG) to aggregate multiple 1 gigabit or 10 gigabit connections at a single AWS Direct Connect endpoint, which allows them to treat the group as a single, managed connection.
  • A Direct Connect gateway is a globally available resource that allows users to connect their AWS Direct Connect connection to one or more VPCs in their account that are located in the same or different Regions.
    • Users can create the Direct Connect gateway in any public region and access it from all other public regions, which also allows them to connect to any of the participating VPCs from any Direct Connect location, further reducing the costs for using AWS services on a cross-region basis. The following figure illustrates this pattern.
[Figure: AWS Direct Connect]

AWS Direct Connect Benefits

AWS Direct Connect makes it easy to scale the connection to meet users' needs. AWS Direct Connect provides 1 Gbps and 10 Gbps connections, and users can easily provision multiple connections if they need more capacity. Users can also use AWS Direct Connect instead of establishing a VPN connection over the Internet to the Amazon VPC, avoiding the need for VPN hardware that frequently can’t support data transfer rates above 4 Gbps.

For bandwidth-heavy workloads that run in AWS, AWS Direct Connect reduces the network costs into and out of AWS in two ways. First, by transferring data to and from AWS directly, users can reduce the bandwidth commitment to the Internet service provider. Second, all data transferred over the dedicated connection is charged at the reduced AWS Direct Connect data transfer rate rather than Internet data transfer rates.

With AWS Direct Connect, users can choose the data that utilizes the dedicated connection and how that data is routed, which can provide a more consistent network experience over Internet-based connections. AWS Direct Connect is a network service, and works with all AWS services that are accessible over the Internet, such as Amazon Simple Storage Service (Amazon S3), Elastic Compute Cloud (Amazon EC2), and Amazon Virtual Private Cloud (Amazon VPC).

AWS Direct Connect can be used to establish a private virtual interface from the on-premises network directly to the Amazon VPC, providing users with a private, high-bandwidth network connection between their network and their VPC. With multiple virtual interfaces, users can even establish private connectivity to multiple VPCs while maintaining network isolation. The AWS Management Console provides a single view to efficiently manage all the connections and virtual interfaces.

AWS Direct Connect Features

With AWS Direct Connect + VPN, users can combine one or more AWS Direct Connect dedicated network connections with the Amazon VPC VPN. This combination provides an IPsec-encrypted private connection that also reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than internet-based VPN connections.

  • Users can use AWS Direct Connect to establish a dedicated network connection between their network and AWS, and create a logical connection to public AWS resources, such as an Amazon virtual private gateway IPsec endpoint.
  • This solution combines the AWS-managed benefits of the VPN solution with the low-latency, increased-bandwidth, more consistent network benefits of the AWS Direct Connect solution, and an end-to-end, secure IPsec connection.

When predictable latency and throughput are required, AWS Direct Connect is the recommended choice. It provides deterministic performance, and bandwidth can be selected based on throughput requirements. AWS recommends using AWS Direct Connect when a customer requires a more consistent network experience than Internet-based connections. Private Virtual Interfaces (VIFs) and Transit VIFs support jumbo frames, which reduce the number of packets (and overheads) through the network and can improve throughput.

  • Using a VPN over AWS Direct Connect adds encryption. However, it reduces the usable MTU size, which might reduce throughput.
  • AWS managed Site-to-Site (S2S) VPN technical capabilities can be found in the technical documentation. It is worth noting that AWS Transit Gateway allows customers to horizontally scale the number of VPN connections, and throughput accordingly, with Equal-cost multi-path routing (ECMP).

Building on the AWS managed VPN and AWS Direct Connect options, users can securely communicate from one site to another using the AWS VPN CloudHub. The AWS VPN CloudHub operates on a simple hub-and-spoke model that can be used with or without a VPC. This design is helpful for those who have multiple branch offices and existing Internet connections and would like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices.

  • AWS VPN CloudHub leverages an Amazon VPC virtual private gateway with multiple gateways, each using unique Border Gateway Protocol (BGP) autonomous system numbers (ASNs).
  • The gateways advertise the appropriate routes (BGP prefixes) over their VPN connections. These routing advertisements are received and re-advertised to each BGP peer so that each site can send data to and receive data from the other sites.
  • Each spoke's remote network must have a unique ASN, and the sites must not have overlapping IP ranges. Each site can also send data to and receive data from the VPC as if it were using a standard VPN connection.
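
The hub-and-spoke re-advertisement just described, as an added example (this is illustrative code, not AWS code). It models the virtual private gateway as a BGP hub that learns each spoke's prefixes, prepends its own ASN and re-advertises them, then applies standard BGP loop prevention at each spoke (a speaker drops any route whose AS_PATH contains its own ASN). Running it shows why the two rules above matter: a duplicated spoke ASN silently discards the other site's routes, and overlapping ranges are caught by the validator. The hub ASN, spoke ASNs and CIDRs are constructed sample values; the spoke dictionary format is an assumption of this example.

```python
"""Hub-and-spoke route re-advertisement model for AWS VPN CloudHub.

Added example (not AWS code): the virtual private gateway (hub) learns each
spoke's prefixes over BGP and re-advertises them to every other spoke with the
hub's ASN prepended to the AS_PATH. Standard BGP loop prevention then makes a
spoke discard any route whose AS_PATH already contains its own ASN, which is
why spokes must use unique ASNs. All ASNs and CIDRs are constructed samples.
"""
from ipaddress import ip_network

HUB_ASN = 64512           # constructed: Amazon-side ASN of the virtual private gateway
VPC_CIDR = "10.0.0.0/16"  # constructed: CIDR of the VPC behind the hub


def validate_spokes(spokes):
    """Return a list of configuration problems (an empty list means valid).

    spokes: dict mapping site name -> {"asn": int, "prefixes": [str, ...]}
    (the dict layout is an assumption of this example).
    """
    problems = []
    seen_asn = {}
    for name, s in spokes.items():
        if s["asn"] in seen_asn:
            problems.append(f"{name} reuses ASN {s['asn']} of {seen_asn[s['asn']]}")
        else:
            seen_asn[s["asn"]] = name
        if s["asn"] == HUB_ASN:
            problems.append(f"{name} uses the hub ASN {HUB_ASN}")
    # No site range may overlap another site's range or the VPC CIDR.
    nets = [(name, ip_network(p)) for name, s in spokes.items() for p in s["prefixes"]]
    nets.append(("vpc", ip_network(VPC_CIDR)))
    for i, (a_name, a_net) in enumerate(nets):
        for b_name, b_net in nets[i + 1:]:
            if a_net.overlaps(b_net):
                problems.append(f"{a_name} {a_net} overlaps {b_name} {b_net}")
    return problems


def hub_routes(spokes):
    """Routes the hub advertises, as (prefix, AS_PATH) pairs."""
    routes = [(VPC_CIDR, [HUB_ASN])]  # the VPC's own CIDR originates at the hub
    for s in spokes.values():
        for p in s["prefixes"]:
            # The hub prepends its own ASN when it re-advertises a learned route.
            routes.append((p, [HUB_ASN, s["asn"]]))
    return routes


def routes_received_by(site, spokes):
    """Prefixes a spoke accepts from the hub after BGP loop prevention.

    Dropping every route whose AS_PATH contains the spoke's own ASN removes
    the spoke's own prefixes and, when ASNs collide, other sites' prefixes too.
    """
    my_asn = spokes[site]["asn"]
    return sorted(p for p, path in hub_routes(spokes) if my_asn not in path)
```

With three spokes on distinct ASNs, each site receives the VPC CIDR plus the other two sites' prefixes; give two sites the same ASN and `routes_received_by` for either of them returns only the VPC CIDR, which is the failure mode the unique-ASN rule prevents.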

If users are located within a facility that has AWS Direct Connect, they can establish a cross connect to AWS. This means using a dedicated connection, which comes in fixed sizes. AWS Direct Connect Partners offer further bandwidth granularity and smaller sizes, which may optimize the connectivity cost. While users are charged for the number of connections that they make to the AWS Transit Gateway per hour and for the amount of traffic that flows through the AWS Transit Gateway, it simplifies management and reduces the number of VPN connections and VIFs required.

Optionally, users can consider a design where AWS Transit Gateway is in the traffic path to most VPCs but not all. This approach avoids the AWS Transit Gateway data processing fees for use cases where users need to transfer very large amounts of data into AWS. Another approach is to combine AWS Direct Connect as a primary path with AWS S2S VPN over the Internet as a backup/failover path.

  • While technically feasible and very cost effective, this solution has technical downsides. AWS doesn’t recommend it for highly critical or critical workloads.

Transferring large data sets over the Internet can be time consuming and expensive. When using the cloud, users can find that transferring large data sets can be slow because the business critical network traffic is contending for bandwidth with other Internet usage. To decrease the amount of time required to transfer the data, users could increase the bandwidth to the Internet service provider, which frequently requires a costly contract renewal and a minimum commitment.

  • With AWS Direct Connect, users can transfer business-critical data directly from their datacenter, office, or colocation environment into and out of AWS, bypassing the Internet service provider and removing network congestion.
  • AWS Direct Connect’s simple pay-as-you-go pricing, with no minimum commitment, means users pay only for the network ports used and the data transferred over the connection, which can greatly reduce networking costs.

Applications that use real-time data feeds can also benefit from using AWS Direct Connect. For example, applications such as voice and video perform best when network latency remains constant. Network latency over the Internet can vary given that the Internet is constantly changing how data gets from point A to B.

  • With AWS Direct Connect, users control how the data is routed, which can provide a more consistent network experience over Internet-based connections.

AWS Direct Connect can help build hybrid environments that satisfy regulatory requirements requiring the use of private connectivity. Hybrid environments allow users to combine the elasticity and economic benefits of AWS with the ability to utilize other infrastructure that they already own.

AWS Direct Connect connections

AWS Direct Connect enables users to establish a dedicated network connection between their network and one of the AWS Direct Connect locations. There are two types of connections:

  • Dedicated Connection: A physical Ethernet connection associated with a single customer. Users can request a dedicated connection through the AWS Direct Connect console, the CLI, or the API.
  • Hosted Connection: A physical Ethernet connection that an AWS Direct Connect Partner provisions on behalf of a customer. Users request a hosted connection by contacting a partner in the AWS Direct Connect Partner Program, who provisions the connection.

Dedicated connections

To create an AWS Direct Connect dedicated connection, users need the following information:

AWS Direct Connect location: Work with a partner in the AWS Direct Connect Partner Program to help establish network circuits between an AWS Direct Connect location and their data center, office, or colocation environment. They can also help provide colocation space within the same facility as the location.

Port speed: The possible values are 1 Gbps and 10 Gbps. Users cannot change the port speed after creating the connection request. To change the port speed, users must create and configure a new connection. After users request the connection, AWS makes a Letter of Authorization and Connecting Facility Assignment (LOA-CFA) available to download, or emails them with a request for more information.

  • If users receive a request for more information, they need to respond within 7 days or the connection is deleted.
  • The LOA-CFA is the authorization to connect to AWS, and is required by the network provider to order a cross connect.
  • Users who do not have equipment in the AWS Direct Connect location cannot order a cross connect for themselves there.

Hosted connections

To create an AWS Direct Connect hosted connection, users need the following information:

AWS Direct Connect location: Work with an AWS Direct Connect Partner in the AWS Direct Connect Partner Program to help users establish network circuits between an AWS Direct Connect location and their data center, office, or colocation environment. They can also help provide colocation space within the same facility as the location.

Port speed: For hosted connections, the possible values are 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, and 10 Gbps. Note that only those AWS Direct Connect Partners who have met specific requirements may create a 1 Gbps, 2 Gbps, 5 Gbps or 10 Gbps hosted connection.

  • Users cannot change the port speed after creating the connection request. To change the port speed, users need to create and configure a new connection.
  • AWS uses traffic policing on hosted connections, which means that when the traffic rate reaches the configured maximum rate, excess traffic is dropped. This might result in bursty traffic having a lower throughput than non-bursty traffic.
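
The policing caveat in the last bullet, as an added example (illustrative code, not AWS code, and the single-rate token bucket is an assumption about the mechanism rather than a documented AWS parameter). The same 10 KB of traffic is offered to a policer twice: spread evenly over one second, and as a single burst. A policer drops non-conforming packets instead of queueing them, so the burst loses everything above the bucket depth while the smooth stream gets through in full. Rate, bucket depth, packet sizes and timestamps are constructed sample values.

```python
"""Token-bucket policer model showing why bursty traffic underperforms.

Added example (not AWS code). Hosted connections are traffic policed, so
packets above the configured rate are dropped rather than queued. The policer
here is a standard single-rate token bucket (an assumption of this example).
All rates, sizes and timestamps are constructed sample values.
"""


class TokenBucketPolicer:
    """Single-rate policer: rate in bytes/s, burst (bucket depth) in bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # the bucket starts full
        self.last = 0.0

    def offer(self, t, size):
        """Return True if a packet of `size` bytes arriving at time t is forwarded."""
        # Refill in proportion to elapsed time, never beyond the bucket depth.
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= size:
            self.tokens -= size   # conforming: forward and consume tokens
            return True
        return False              # excess: policed (dropped), nothing is queued


def deliver(packets, rate_bps, burst_bytes):
    """Run packets [(t, size), ...] through a fresh policer; return (forwarded, dropped) bytes."""
    pol = TokenBucketPolicer(rate_bps, burst_bytes)
    forwarded = dropped = 0
    for t, size in sorted(packets):
        if pol.offer(t, size):
            forwarded += size
        else:
            dropped += size
    return forwarded, dropped


def smooth_vs_bursty(rate_bps=10_000, burst_bytes=3_000, pkt=1_000, count=10):
    """Same total bytes, two arrival patterns; returns forwarded bytes for each.

    Constructed scenario: ten 1,000-byte packets against a 10,000 B/s policer
    with a 3,000-byte bucket, once evenly spaced over one second and once all
    at t=0.
    """
    smooth = [(i / count, pkt) for i in range(count)]  # one packet every 1/count s
    bursty = [(0.0, pkt) for _ in range(count)]        # all at once
    return deliver(smooth, rate_bps, burst_bytes)[0], deliver(bursty, rate_bps, burst_bytes)[0]
```

Both patterns average exactly the configured rate over the second, yet only the smooth one is delivered in full; the burst is cut to the bucket depth. That is why an application that sends in bursts can see lower throughput on a policed hosted connection than the port speed suggests, and why shaping (queueing) on the customer router before the connection is the usual mitigation.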

Virtual interfaces

AWS Direct Connect users can achieve development and test resiliency for non-critical workloads by using separate connections that terminate on separate devices in one location (as shown in the following figure). This model provides resiliency against device failure, but does not provide resiliency against location failure. To create a virtual interface, users need the following resources and information:

  • Connection: The AWS Direct Connect connection or link aggregation group (LAG) for which users are creating the virtual interface.
  • Virtual interface name: A name for the virtual interface.
  • Virtual interface owner: When creating the virtual interface for another account, users need the AWS account ID of the other account.
  • (Private virtual interface only) Connection: For connecting to a VPC in the same AWS Region, users need the virtual private gateway for their VPC. The ASN for the Amazon side of the BGP session is inherited from the virtual private gateway. During the creation of a virtual private gateway, users can specify their own private ASN. Otherwise, Amazon provides a default ASN. For connecting to a VPC through a Direct Connect gateway, users need the Direct Connect gateway.
  • VLAN: A unique virtual local area network (VLAN) tag that’s not already in use on the customer's connection. The value must be between 1 and 4094 and must comply with the Ethernet 802.1Q standard. This tag is required for any traffic traversing the AWS Direct Connect connection. For a hosted connection, the AWS Direct Connect Partner provides this value. Users can’t modify the value after they have created the virtual interface.
  • Peer IP addresses: A virtual interface can support a BGP peering session for IPv4, IPv6, or one of each (dual-stack). Users cannot create multiple BGP sessions for the same IP addressing family on the same virtual interface. The IP address ranges are assigned to each end of the virtual interface for the BGP peering session.
    • IPv4: (Public virtual interface only) Users must specify unique public IPv4 addresses that they own. The value can be one of the following: a customer-owned IPv4 CIDR; an IPv4 range owned by the user's AWS Direct Connect Partner or ISP; or an AWS-provided /31 CIDR. Contact AWS Support to request a public IPv4 CIDR.
    • (Private virtual interface only) Amazon can generate private IPv4 addresses. If specifying their own, users must ensure that the specified private CIDRs are for the router interface and the AWS Direct Connect interface only.
    • IPv6: Amazon automatically allocates a /125 IPv6 CIDR. Users cannot specify their own peer IPv6 addresses.
  • Address family: Whether the BGP peering session will be over IPv4 or IPv6.
  • BGP information:
    • A public or private Border Gateway Protocol (BGP) Autonomous System Number (ASN) for the user's side of the BGP session. If using a public ASN, users must own it. If using a private ASN, it must be in the 1 to 2147483647 range. Autonomous System (AS) prepending does not work if using a private ASN for a public virtual interface.
    • AWS enables MD5 by default. Users cannot modify this option.
    • An MD5 BGP authentication key. Users can provide their own, or let Amazon generate one for them.
  • (Public virtual interface only) Prefixes to advertise: Public IPv4 routes or IPv6 routes to advertise over BGP. Users must advertise at least one prefix using BGP, up to a maximum of 1,000 prefixes.
    • IPv4: The IPv4 CIDR must not overlap with another public IPv4 CIDR announced using AWS Direct Connect. If users do not own public IPv4 addresses, the network provider might be able to provide them with a public IPv4 CIDR. If not, contact AWS Support to request a public IPv4 CIDR. Users can specify any prefix length.
    • IPv6: Specify a prefix length of /64 or shorter.
  • (Private virtual interface only) Jumbo frames: The maximum transmission unit (MTU) of packets over AWS Direct Connect. The default is 1500. Setting the MTU of a virtual interface to 9001 (jumbo frames) can cause an update to the underlying physical connection if it wasn’t updated to support jumbo frames. Updating the connection disrupts network connectivity for all virtual interfaces associated with the connection for up to 30 seconds.
    • Jumbo frames apply only to propagated routes from AWS Direct Connect. When adding static routes to a route table that point to the virtual private gateway, traffic routed through the static routes is sent using 1500 MTU.
    • To check whether a connection or virtual interface supports jumbo frames, select it in the AWS Direct Connect console and find Jumbo Frame Capable on the Summary tab.
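
The virtual interface constraints listed above, turned into a pre-flight validator as an added example (illustrative code, not AWS code and not the AWS CLI or API). The request is a plain dictionary whose keys (`type`, `vlan`, `asn`, `asn_is_private`, `peers`, `prefixes`, `gateway_type`, `mtu`) are an assumption of this example; the checks themselves are the ones the section states: VLAN 1 to 4094, one BGP session per address family, private peer addresses on a private VIF, an AWS-allocated /125 for IPv6 peering, 1 to 1,000 advertised prefixes on a public VIF with IPv6 prefixes no longer than /64 and no overlapping IPv4 CIDRs, no public VIF on a Direct Connect gateway, and jumbo frames (9001) only off a public VIF. Sample requests in the usage note are constructed.

```python
"""Pre-flight validator for an AWS Direct Connect virtual interface request.

Added example (not AWS code, not the AWS CLI): it encodes the constraints the
section above lists as checks to run over a request before submitting it.
The request layout (a dict with the keys read below) is an assumption of this
example; the numeric limits are the values stated on the page.
"""
from ipaddress import ip_interface, ip_network

PRIVATE_ASN_RANGE = (1, 2147483647)   # page: a private ASN must be in this range
MAX_ADVERTISED_PREFIXES = 1000        # page: up to 1,000 prefixes on a public VIF
SUPPORTED_MTUS = {1500, 9001}         # page: default 1500, jumbo frames 9001


def validate_vif(req):
    """Return a list of violations; an empty list means the request passes."""
    errs = []
    kind = req.get("type")
    if kind not in ("private", "public", "transit"):
        errs.append(f"unknown virtual interface type {kind!r}")

    # VLAN: an 802.1Q tag in 1..4094 (and it cannot be changed after creation).
    vlan = req.get("vlan")
    if not isinstance(vlan, int) or not 1 <= vlan <= 4094:
        errs.append(f"VLAN {vlan!r} is not in 1..4094")

    # Customer-side ASN: a private ASN must fall in the page's stated range.
    # Ownership of a public ASN cannot be checked locally, so it is skipped.
    asn = req.get("asn")
    if req.get("asn_is_private", True):
        lo, hi = PRIVATE_ASN_RANGE
        if not isinstance(asn, int) or not lo <= asn <= hi:
            errs.append(f"private ASN {asn!r} is outside {lo}..{hi}")

    # BGP peers: at least one, and at most one session per address family.
    peers = req.get("peers", [])
    families = [ip_interface(p["customer_address"]).version for p in peers]
    if not families:
        errs.append("at least one BGP peer (IPv4 or IPv6) is required")
    if len(families) != len(set(families)):
        errs.append("only one BGP session per address family is allowed")
    for p in peers:
        cust = ip_interface(p["customer_address"])
        amzn = ip_interface(p["amazon_address"])
        if cust.network != amzn.network:
            errs.append(f"peer addresses {cust} and {amzn} are not on one subnet")
        if kind == "private" and cust.version == 4 and not cust.ip.is_private:
            errs.append(f"private VIF peer {cust.ip} is not a private IPv4 address")
        if cust.version == 6 and cust.network.prefixlen != 125:
            errs.append(f"IPv6 peering uses an AWS-allocated /125, got {cust.network}")

    # Prefixes to advertise: public VIFs only, 1..1000, IPv6 no longer than /64,
    # and no two advertised IPv4 CIDRs may overlap.
    prefixes = [ip_network(p) for p in req.get("prefixes", [])]
    if kind == "public":
        if not 1 <= len(prefixes) <= MAX_ADVERTISED_PREFIXES:
            errs.append(f"public VIF must advertise 1..{MAX_ADVERTISED_PREFIXES} prefixes")
        for n in prefixes:
            if n.version == 6 and n.prefixlen > 64:
                errs.append(f"IPv6 prefix {n} is longer than /64")
        v4 = [n for n in prefixes if n.version == 4]
        for i, a in enumerate(v4):
            for b in v4[i + 1:]:
                if a.overlaps(b):
                    errs.append(f"advertised prefixes {a} and {b} overlap")
        if req.get("gateway_type") == "direct-connect-gateway":
            errs.append("a public VIF cannot be attached to a Direct Connect gateway")
    elif prefixes:
        errs.append("only public VIFs carry a prefixes-to-advertise list")

    # MTU: 9001 (jumbo) applies to private/transit VIFs; public VIFs stay at 1500.
    mtu = req.get("mtu", 1500)
    if mtu not in SUPPORTED_MTUS:
        errs.append(f"MTU {mtu} is not one of {sorted(SUPPORTED_MTUS)}")
    elif mtu == 9001 and kind == "public":
        errs.append("jumbo frames are not available on a public VIF")
    return errs
```

A dual-stack private VIF request with VLAN 101, a private ASN, a 169.254.10.0/30 IPv4 peering and a /125 IPv6 peering passes cleanly, while a public VIF request with VLAN 5000, two IPv4 peers, overlapping 203.0.113.0/24 and 203.0.113.128/25 prefixes, a /96 IPv6 prefix, MTU 9001 and a Direct Connect gateway target collects one violation per broken rule (all of these are constructed sample values). Because the VLAN and port speed cannot be changed afterwards, catching these before the request is submitted avoids a delete-and-recreate cycle.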

Working with Direct Connect gateways

Direct Connect gateways

A Direct Connect gateway is a grouping of virtual private gateways (VGWs) and private virtual interfaces (VIFs). Users can use a Direct Connect gateway to establish connectivity that spans Virtual Private Clouds (VPCs) spread across multiple AWS Regions. Users no longer need to establish multiple BGP sessions for each VPC; this reduces administrative workload as well as the load on network devices.

  • When using a Direct Connect gateway, traffic takes the shortest path from the Direct Connect location to the destination AWS Region and vice versa, regardless of the home AWS Region of the Direct Connect location to which users are connected.
  • Networking features such as Elastic File System, Elastic Load Balancer, Application Load Balancer, Security Groups, Access Control List, AWS PrivateLink will still work with Direct Connect gateway.
  • CloudHub enables connectivity between on-premises networks using Direct Connect or VPN within the same Region when the VIF is associated with the VGW directly. Existing CloudHub functionality will continue to be supported.
  • Direct Connect gateway does not support CloudHub functionality, but if using an AWS Classic VPN or AWS VPN connection to a VGW that is associated with the Direct Connect gateway, users will be able to use the VPN connection for failover.
  • Features that are currently not supported by Direct Connect, AWS Classic VPN, or AWS VPN, such as edge-to-edge routing, VPC peering, VPC endpoint, will not be supported by Direct Connect gateway.

Multi-account support for Direct Connect gateway allows users to associate up to 10 Amazon Virtual Private Clouds (Amazon VPCs) or up to 3 AWS Transit Gateways from multiple AWS accounts with a Direct Connect gateway. Users associate an AWS Direct Connect gateway with either of the following gateways:

  • A transit gateway when having multiple VPCs in the same Region
  • A virtual private gateway

A Direct Connect gateway is a globally available resource. Users can create the Direct Connect gateway in any Region and access it from all other Regions. Users can use a Direct Connect gateway in the scenarios described below.

A Direct Connect gateway does not allow gateway associations that are on the same Direct Connect gateway to send traffic to each other (for example, a virtual private gateway to another virtual private gateway). A Direct Connect gateway does not prevent traffic from being sent from one gateway association back to the gateway association itself. If the configuration has multiple VPCs connected to the same transit gateway, the VPCs could communicate. To prevent the VPCs from communicating, use separate transit gateway attachments, and then associate a route table with the attachments that have the blackhole option set.

A Direct Connect gateway has three main functions:
  1. It enables users to interface with VPCs in any AWS Region (except the AWS China Region), enabling them to use their AWS Direct Connect connections to interface with more than one AWS Region.
  2. Users can share a private virtual interface to interface with up to ten Virtual Private Clouds (VPCs), enabling them to reduce the number of Border Gateway Protocol sessions between their on-premises network and AWS deployments.
  3. By attaching transit virtual interface(s) to a Direct Connect gateway and associating Transit Gateway(s) with the Direct Connect gateway, users can share transit virtual interface(s) to interface with up to three Transit Gateways, enabling them to reduce the number of Border Gateway Protocol sessions between their on-premises network and AWS deployments.

Each VPC has a virtual private gateway that connects to the Direct Connect gateway using a virtual private gateway association. The Direct Connect gateway uses a private virtual interface for the connection to the AWS Direct Connect location. There is an AWS Direct Connect connection from the location to the customer data center.

A virtual private gateway is a logical, fully redundant distributed edge routing function that sits at the edge of a VPC. As it is capable of terminating VPN connections from users' on-premises or other environments, the VPG is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. A virtual private gateway is a way for users to land in the cloud when creating a VPN tunnel. Users can create up to 10 VPN tunnels to exterior, non-VPC networking locations per VPG, and each of these tunnels is connected using the IPsec protocol.

Users have the ability to create static or dynamic routes through the VPG. For any new virtual gateways, a configurable private Autonomous System Number (ASN) allows customers to set the ASN on the Amazon side of the BGP session for VPNs and AWS Direct Connect private VIFs. When BGP routing is exposed to the Customer Gateway (an important step in configuring the VPN connection to work with the VPG) from the edge router or firewall, the CGW repeats those learned routes to the VPG, which completes the dynamic routing circuit into the cloud.

Users can use an AWS Direct Connect gateway to connect the AWS Direct Connect connection over a private virtual interface to one or more VPCs in any account that are located in the same or different Regions. Users associate a Direct Connect gateway with the virtual private gateway for the VPC. Then, they create a private virtual interface for the AWS Direct Connect connection to the Direct Connect gateway. Users can attach multiple private virtual interfaces to the Direct Connect gateway. The following rules apply to virtual private gateway associations:

  • There are limits for creating and using Direct Connect gateways. For more information, see AWS Direct Connect quotas.
  • The VPCs to which users connect through a Direct Connect gateway cannot have overlapping CIDR blocks. If adding an IPv4 CIDR block to a VPC that’s associated with a Direct Connect gateway, ensure that the CIDR block does not overlap with an existing CIDR block for any other associated VPC. 
  • Users cannot create a public virtual interface to a Direct Connect gateway.
  • A Direct Connect gateway supports communication between attached private virtual interfaces and associated virtual private gateways only. The following traffic flows are not supported:
    • Direct communication between the VPCs that are associated with a single Direct Connect gateway. This includes traffic from one VPC to another by using a hairpin through an on-premises network through a single Direct Connect gateway.
    • Direct communication between the virtual interfaces that are attached to a single Direct Connect gateway.
    • Direct communication between the virtual interfaces that are attached to a single Direct Connect gateway and a VPN connection on a virtual private gateway that’s associated with the same Direct Connect gateway.
  • Users cannot associate a virtual private gateway with more than one Direct Connect gateway and cannot attach a private virtual interface to more than one Direct Connect gateway.
  • A virtual private gateway that users associate with a Direct Connect gateway must be attached to a VPC.
  • A virtual private gateway association proposal expires 7 days after it is created.
  • An accepted virtual private gateway proposal, or a deleted virtual private gateway proposal remains visible for 3 days.
  • A virtual private gateway can be associated with a Direct Connect gateway and also attached to a virtual interface.

To connect an AWS Direct Connect connection to a VPC in the same Region only, users can create a Direct Connect gateway, or create a private virtual interface and attach it to the virtual private gateway for the VPC.

To use an AWS Direct Connect connection with a VPC in another account, users can create a hosted private virtual interface for that account. When the owner of the other account accepts the hosted virtual interface, they can choose to attach it either to a virtual private gateway or to a Direct Connect gateway in their account.

Virtual private gateway associations

The prefix list (IPv4 and IPv6) acts as a filter that allows the same CIDRs, or a smaller range of CIDRs to be advertised to the Direct Connect gateway. Users must set the prefixes to a range that is the same or wider than the VPC CIDR block.

Consider the scenario where a VPC with CIDR 10.0.0.0/16 is attached to a virtual private gateway.

  • When the allowed prefixes list is set to 22.0.0.0/24, users do not receive any route because 22.0.0.0/24 is not the same as, or wider than 10.0.0.0/16.
  • When the allowed prefixes list is set to 10.0.0.0/24, users do not receive any route because 10.0.0.0/24 is not the same as 10.0.0.0/16.
  • When the allowed prefixes list is set to 10.0.0.0/15, users do receive 10.0.0.0/16, because 10.0.0.0/15 is wider than 10.0.0.0/16.

[Figure: Virtual private gateway]

Transit gateway

AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies the network and puts an end to complex peering relationships. It acts as a cloud router: each new connection is only made once. Users can expand globally: inter-Region peering connects AWS Transit Gateways together using the AWS global network. Data is automatically encrypted, and never travels over the public Internet. And, because of its central position, AWS Transit Gateway Network Manager has a unique view over the entire network, even connecting to Software-Defined Wide Area Network (SD-WAN) devices.

  • AWS Transit Gateway acts as a cloud router to simplify the network architecture. As the network grows, the complexity of managing incremental connections doesn’t slow down. When building global applications, users can connect AWS Transit Gateways using inter-Region peering.
  • With AWS Transit Gateway Network Manager, users can easily monitor the Amazon VPCs and edge connections from a central console. Integrated with popular SD-WAN devices, AWS Transit Gateway Network Manager helps users quickly identify issues and react to events on the global network.
  • Traffic between an Amazon VPC and AWS Transit Gateway remains on the AWS global private network and is not exposed to the public internet. AWS Transit Gateway inter-Region peering encrypts all traffic, with no single point of failure or bandwidth bottleneck. This helps protect against distributed denial of service (DDoS) attacks and other common exploits.
  • AWS Transit Gateway multicast support distributes the same content to multiple specific destinations. This eliminates the need for expensive on-premises multicast networks and reduces the bandwidth needed for high-throughput applications such as video conferencing, media, or teleconferencing.

Users can use an AWS Direct Connect gateway to connect the AWS Direct Connect connection over a transit virtual interface to the VPCs or VPNs that are attached to the transit gateway. Users associate a Direct Connect gateway with the transit gateway. Then, they create a transit virtual interface for the AWS Direct Connect connection to the Direct Connect gateway. The following rules apply to transit gateway associations:

  • Users cannot attach a Direct Connect gateway to a transit gateway when the Direct Connect gateway is already associated with a virtual private gateway or is attached to a private virtual interface.
  • There are limits for creating and using Direct Connect gateways.
  • A Direct Connect gateway supports communication between attached transit virtual interfaces and associated transit gateways only.
  • When connecting to multiple transit gateways that are in different Regions, use unique ASNs for each transit gateway.

Transit gateway associations

For a transit gateway association, users provision the allowed prefixes list on the Direct Connect gateway. The list routes traffic from on-premises to AWS, to the transit gateway, even when the VPCs attached to the transit gateway do not have assigned CIDRs. Prefixes in the Direct Connect gateway allowed prefix list originate on the Direct Connect gateway and are advertised to the on-premises network. Consider the scenario where users have a VPC with CIDR 10.0.0.0/16 attached to a transit gateway.

  • When the allowed prefixes list is set to 22.0.0.0/24, users receive 22.0.0.0/24 through BGP on the transit virtual interface. Users do not receive 10.0.0.0/16 because AWS directly provisions the prefixes that are in the allowed prefix list.
  • When the allowed prefixes list is set to 10.0.0.0/24, users receive 10.0.0.0/24 through BGP on the transit virtual interface. Users do not receive 10.0.0.0/16 because AWS directly provisions the prefixes that are in the allowed prefix list.
  • When the allowed prefixes list is set to 10.0.0.0/8, users receive 10.0.0.0/8 through BGP on the transit virtual interface.
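
The two allowed-prefixes behaviours, the filter semantics of the virtual private gateway association (the 22.0.0.0/24, 10.0.0.0/24 and 10.0.0.0/15 cases in the earlier section) and the provision-as-listed semantics of the transit gateway association (the three cases just above), side by side as an added example (illustrative code, not AWS code). A third function applies the rule from the virtual private gateway association list that VPCs behind one Direct Connect gateway must not have overlapping CIDR blocks. The function names and the list-of-strings inputs are assumptions of this example; all CIDRs are the page's scenario values or constructed samples.

```python
"""Allowed-prefixes semantics for Direct Connect gateway associations.

Added example (not AWS code). For a virtual private gateway (VGW) association
the allowed list is a filter: a VPC CIDR is advertised only when an allowed
prefix equals or contains it. For a transit gateway (TGW) association the
allowed list is provisioned as-is: exactly the listed prefixes are advertised,
whether or not a VPC CIDR falls under them. CIDRs are the page's scenario
values or constructed samples.
"""
from ipaddress import ip_network


def vgw_advertised_routes(vpc_cidrs, allowed_prefixes):
    """Routes on-premises learns over a private VIF from a VGW association.

    Each VPC CIDR is advertised unchanged, but only if some allowed prefix is
    the same as, or wider than, that CIDR. A narrower or unrelated allowed
    prefix yields no route at all (the filter never synthesises a route).
    """
    vpcs = [ip_network(c) for c in vpc_cidrs]
    allowed = [ip_network(p) for p in allowed_prefixes]
    return sorted(
        str(v) for v in vpcs
        if any(a.version == v.version and v.subnet_of(a) for a in allowed)
    )


def tgw_advertised_routes(allowed_prefixes):
    """Routes on-premises learns over a transit VIF from a TGW association.

    The allowed prefixes originate at the Direct Connect gateway itself, so the
    listed prefixes are advertised verbatim; VPC CIDRs never appear unless they
    are listed explicitly (or are covered by a listed aggregate such as /8).
    """
    return sorted(str(ip_network(p)) for p in allowed_prefixes)


def check_no_overlap(vpc_cidrs):
    """Return overlapping CIDR pairs; VPCs behind one Direct Connect gateway must have none."""
    nets = [ip_network(c) for c in vpc_cidrs]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.version == b.version and a.overlaps(b)
    ]
```

Walking the page's scenario through both functions: with VPC 10.0.0.0/16, a VGW association with allowed list 22.0.0.0/24 or 10.0.0.0/24 advertises nothing while 10.0.0.0/15 advertises 10.0.0.0/16; a TGW association advertises exactly 22.0.0.0/24, 10.0.0.0/24 or 10.0.0.0/8 respectively. The practical consequence for the transit case is that an over-wide allowed prefix pulls on-premises traffic for address space no VPC actually holds, so the list should be kept as tight as the attached VPCs require.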

The transit gateway solution involves the following components:

  • A transit gateway that has VPC attachments.
  • A Direct Connect gateway.
  • An association between the Direct Connect gateway and the transit gateway.
  • A transit virtual interface that is attached to the Direct Connect gateway.

This configuration offers the following benefits. Users can:

  • Manage a single connection for multiple VPCs or VPNs that are in the same Region.
  • Advertise prefixes from on-premises to AWS and from AWS to on-premises.

Transit gateway associations across accounts

Consider this scenario of a Direct Connect gateway owner (Account Z) who owns the Direct Connect gateway. Account A owns the transit gateway and wants to use the Direct Connect gateway. Account Z accepts the association proposals and can optionally update the prefixes that are allowed from Account A’s transit gateway. After Account Z accepts the proposals, the VPCs attached to the transit gateway can route traffic from the transit gateway to the Direct Connect gateway. Account Z also owns the routing to the customers because Account Z owns the gateway.

Resiliency Toolkit

AWS offers customers the ability to achieve highly resilient network connections between Amazon Virtual Private Cloud (Amazon VPC) and their on-premises infrastructure. The AWS Direct Connect Resiliency Toolkit provides a connection wizard with multiple resiliency models. These models help to determine, and then place an order for the number of dedicated connections to achieve the SLA objective. Users select a resiliency model, and then the AWS Direct Connect Resiliency Toolkit guides them through the dedicated connection ordering process. The resiliency models are designed to ensure the appropriate number of dedicated connections in multiple locations.

The AWS Direct Connect Resiliency Toolkit has the following benefits:

  • Provides guidance on how to determine and then order the appropriate redundant AWS Direct Connect dedicated connections.
  • Ensures that the redundant dedicated connections have the same speed.
  • Automatically configures the dedicated connection names.
  • Automatically approves dedicated connections when users have an existing AWS account and select a known AWS Direct Connect Partner. The Letter of Authority (LOA) is available for immediate download.
  • Automatically creates a support ticket for the dedicated connection approval when users are a new AWS customer, or select an unknown (Other) partner.
  • Provides an order summary for dedicated connections, with the SLA that users can achieve and the port-hour cost for the ordered dedicated connections.
  • Creates link aggregation groups (LAGs), and adds the appropriate number of dedicated connections to the LAGs when users choose a speed other than 1 Gbps or 10 Gbps.
  • Provides a LAG summary with the SLA that the dedicated connections can achieve, and the total port-hour cost for each ordered dedicated connection as part of the LAG.
  • Prevents users from terminating the dedicated connections on the same AWS Direct Connect device.
  • Provides a way to test the configuration for resiliency. Users work with AWS to bring down the BGP peering session in order to verify that traffic routes to one of the redundant virtual interfaces.
  • Provides Amazon CloudWatch metrics for connections and virtual interfaces. 
 

The following resiliency models are available in the AWS Direct Connect Resiliency Toolkit:

  • Maximum Resiliency: This model provides a way to order dedicated connections to achieve an SLA of 99.99%. It requires users to meet all of the requirements for achieving the SLA that are specified in the AWS Direct Connect Service Level Agreement.
  • High Resiliency: This model provides a way to order dedicated connections to achieve an SLA of 99.9%. It requires users to meet all of the requirements for achieving the SLA that are specified in the AWS Direct Connect Service Level Agreement.
  • Development and Test: This model provides users a way to achieve development and test resiliency for non-critical workloads, by using separate connections that terminate on separate devices in one location.
  • Classic: This model is intended for users that have existing connections and want to add additional connections. This model does not provide an SLA.

Security

AWS Direct Connect

The AWS shared responsibility model applies to data protection in AWS Direct Connect. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. Users are responsible for maintaining control over the content that is hosted on this infrastructure. This content includes the security configuration and management tasks for the AWS services that users use. For data protection purposes, AWS recommends that users protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM). That way each user is given only the permissions necessary to fulfill their job duties.

  • Use multi-factor authentication (MFA) with each account.
  • Use SSL/TLS to communicate with AWS resources. AWS recommends TLS 1.2 or later.
  • Set up API and user activity logging with AWS CloudTrail.
  • Use AWS encryption solutions, along with all default security controls within AWS services.
  • Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
  • If users require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a Federal Information Processing Standard (FIPS) endpoint.
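Two of the recommendations above, individual IAM users with MFA and CloudTrail logging, become useful together when someone actually reads the trail. The following is an added example (not from the original page, not AWS code) of a small detection that scans CloudTrail records for AWS Direct Connect control-plane changes made without MFA or with root credentials. The field names (eventSource, eventName, userIdentity.sessionContext.attributes.mfaAuthenticated) are the standard CloudTrail ones; the records themselves, the principals and the IP addresses are constructed sample data, and the set of actions treated as sensitive is an assumption to adjust per environment.

```python
import json

# Constructed CloudTrail records (not real log data), reduced to the fields
# the detection reads. Each is one JSON line, as after flattening the
# Records array of a CloudTrail log file.
SAMPLE_EVENTS = [json.dumps(rec) for rec in [
    {   # destructive change by an IAM user whose session has no MFA: finding
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "directconnect.amazonaws.com",
        "eventName": "DeleteVirtualInterface",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/netops-alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # read-only call without MFA: not a finding
        "eventTime": "2024-01-01T10:01:00Z",
        "eventSource": "directconnect.amazonaws.com",
        "eventName": "DescribeConnections",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/netops-alice"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # destructive change from an MFA-authenticated role session: expected
        "eventTime": "2024-01-01T10:02:00Z",
        "eventSource": "directconnect.amazonaws.com",
        "eventName": "DeleteConnection",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/NetAdmin/bob",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "sourceIPAddress": "203.0.113.11",
    },
    {   # root credentials used for a gateway change: always a finding
        "eventTime": "2024-01-01T10:03:00Z",
        "eventSource": "directconnect.amazonaws.com",
        "eventName": "CreateDirectConnectGatewayAssociation",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "sourceIPAddress": "203.0.113.12",
    },
    {   # another service entirely: ignored by this detection
        "eventTime": "2024-01-01T10:04:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/netops-alice"},
        "sourceIPAddress": "203.0.113.10",
    },
]]

# Direct Connect actions that change or remove connectivity (assumed list).
SENSITIVE_ACTIONS = {
    "DeleteConnection",
    "DeleteVirtualInterface",
    "DeleteDirectConnectGateway",
    "DeleteDirectConnectGatewayAssociation",
    "CreateDirectConnectGatewayAssociation",
    "AcceptDirectConnectGatewayAssociationProposal",
    "UpdateDirectConnectGatewayAssociation",
}


def mfa_authenticated(record):
    """True only when the session explicitly carries mfaAuthenticated=true.
    Long-term access keys have no sessionContext at all, so they count as
    no MFA, which is the conservative reading."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def detect_risky_direct_connect_changes(lines):
    """Return findings for root usage or MFA-less sensitive Direct Connect calls."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the scan
        if rec.get("eventSource") != "directconnect.amazonaws.com":
            continue
        ident = rec.get("userIdentity", {})
        name = rec.get("eventName", "")
        reason = None
        if ident.get("type") == "Root":
            reason = "root-credentials"
        elif name in SENSITIVE_ACTIONS and not mfa_authenticated(rec):
            reason = "no-mfa"
        if reason:
            findings.append({
                "eventTime": rec.get("eventTime"),
                "eventName": name,
                "principal": ident.get("arn", "unknown"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
                "reason": reason,
            })
    return findings
```

Root is flagged regardless of MFA because the recommendation above is to use individual IAM identities for day-to-day work; a root login touching network plumbing is worth a ticket even when MFA was present.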

AWS Direct Connect does not encrypt users' traffic in transit. To encrypt data in transit that traverses AWS Direct Connect, users must use the transit encryption options for that service.

  • With AWS Direct Connect and AWS Site-to-Site VPN, users can combine one or more AWS Direct Connect dedicated network connections with the Amazon VPC VPN. This combination provides an IPsec-encrypted private connection that also reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than internet-based VPN connections.

The AWS Direct Connect Resiliency Toolkit provides a connection wizard with multiple resiliency models that helps users order dedicated connections to achieve the SLA objective. Users select a resiliency model, and then the AWS Direct Connect Resiliency Toolkit guides users through the dedicated connection ordering process. The resiliency models are designed to ensure that users have the appropriate number of dedicated connections in multiple locations.

  • Maximum Resiliency: Users can achieve maximum resiliency for critical workloads by using separate connections that terminate on separate devices in more than one location. This model provides resiliency against device, connectivity, and complete location failures.
  • High Resiliency: Users can achieve high resiliency for critical workloads by using two single connections to multiple locations. This model provides resiliency against connectivity failures caused by a fiber cut or a device failure. It also helps prevent a complete location failure.
  • Development and Test: Users can achieve development and test resiliency for non-critical workloads by using separate connections that terminate on separate devices in one location. This model provides resiliency against device failure, but does not provide resiliency against location failure.
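The two lists of resiliency models above (the SLA-oriented one and the failure-domain one) describe the same topologies from different angles. As an added example, not from the original page and not part of the toolkit, the following classifier names the model an existing set of dedicated connections satisfies, applying the stated rules: separate locations, separate devices within a location, equal speeds, and the toolkit's refusal to terminate redundant connections on one device. Connection IDs, location codes and device names are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One dedicated connection: where it lands and which AWS device it
    terminates on. Location and device names are constructed, not real
    Direct Connect codes."""
    connection_id: str
    location: str
    device: str
    bandwidth: str  # "1Gbps" or "10Gbps"


def same_device_violations(connections):
    """Connections that share a device at a location. The toolkit refuses to
    terminate redundant connections on one device because that device is a
    single failure domain."""
    by_device = defaultdict(list)
    for c in connections:
        by_device[(c.location, c.device)].append(c.connection_id)
    return {key: ids for key, ids in by_device.items() if len(ids) > 1}


def classify_resiliency(connections):
    """Name the resiliency model a topology satisfies, following the model
    descriptions above:
      Maximum Resiliency   : two or more locations, each with two or more
                             connections on separate devices
      High Resiliency      : two or more locations, at least one connection each
      Development and Test : one location, two or more connections on
                             separate devices
      Classic              : anything else (no SLA)
    Shared devices or mixed speeds drop the topology to Classic, mirroring
    the checks the toolkit applies while ordering."""
    if not connections or same_device_violations(connections):
        return "Classic"
    if len({c.bandwidth for c in connections}) > 1:
        return "Classic"
    devices_per_location = defaultdict(set)
    for c in connections:
        devices_per_location[c.location].add(c.device)
    locations = len(devices_per_location)
    fewest_devices = min(len(devs) for devs in devices_per_location.values())
    if locations >= 2 and fewest_devices >= 2:
        return "Maximum Resiliency"
    if locations >= 2:
        return "High Resiliency"
    if fewest_devices >= 2:  # single location, separate devices
        return "Development and Test"
    return "Classic"


# Constructed topologies used to exercise the classifier.
MAXIMUM_EXAMPLE = [
    Connection("dxcon-a1", "LOC-A", "dev-1", "10Gbps"),
    Connection("dxcon-a2", "LOC-A", "dev-2", "10Gbps"),
    Connection("dxcon-b1", "LOC-B", "dev-1", "10Gbps"),
    Connection("dxcon-b2", "LOC-B", "dev-2", "10Gbps"),
]
HIGH_EXAMPLE = [MAXIMUM_EXAMPLE[0], MAXIMUM_EXAMPLE[2]]
DEV_TEST_EXAMPLE = MAXIMUM_EXAMPLE[:2]
SHARED_DEVICE_EXAMPLE = [
    Connection("dxcon-x", "LOC-A", "dev-1", "1Gbps"),
    Connection("dxcon-y", "LOC-A", "dev-1", "1Gbps"),
]
```

Devices are keyed by (location, device) on purpose: device identifiers are only meaningful within a location, so two connections on "dev-1" at different locations are independent, while two on "dev-1" at the same location are the case the toolkit blocks.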
 
 
